{"id":13784308,"url":"https://github.com/hmdolatabadi/AdvFlow","last_synced_at":"2025-05-11T19:32:41.821Z","repository":{"id":37639165,"uuid":"279718240","full_name":"hmdolatabadi/AdvFlow","owner":"hmdolatabadi","description":"[NeurIPS2020] The official repository of \"AdvFlow: Inconspicuous Black-box Adversarial Attacks using Normalizing Flows\".","archived":false,"fork":false,"pushed_at":"2023-10-03T21:32:08.000Z","size":1341,"stargazers_count":45,"open_issues_count":5,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-11-17T20:48:23.498Z","etag":null,"topics":["adversarial-machine-learning","black-box-attacks","neurips-2020","normalizing-flows"],"latest_commit_sha":null,"homepage":"https://hmdolatabadi.github.io/posts/2020/10/advflow/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hmdolatabadi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-07-14T23:55:37.000Z","updated_at":"2024-11-03T13:11:00.000Z","dependencies_parsed_at":"2024-01-17T02:16:06.887Z","dependency_job_id":"cb15ed1a-9be0-4ab0-8b7a-d759179b63de","html_url":"https://github.com/hmdolatabadi/AdvFlow","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hmdolatabadi%2FAdvFlow","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hmdolatabadi%2FAdvFlow/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hmdolatabadi%2FAdvFlow/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/repositories/hmdolatabadi%2FAdvFlow/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hmdolatabadi","download_url":"https://codeload.github.com/hmdolatabadi/AdvFlow/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253621286,"owners_count":21937498,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adversarial-machine-learning","black-box-attacks","neurips-2020","normalizing-flows"],"created_at":"2024-08-03T19:00:39.763Z","updated_at":"2025-05-11T19:32:41.551Z","avatar_url":"https://github.com/hmdolatabadi.png","language":"Python","funding_links":[],"categories":["📝 Publications \u003csmall\u003e(60)\u003c/small\u003e"],"sub_categories":[],"readme":"# AdvFlow\n\n*Hadi M. Dolatabadi, Sarah Erfani, and Christopher Leckie 2020*\n\n[![arXiv](http://img.shields.io/badge/arXiv-2007.07435-B31B1B.svg)](https://arxiv.org/abs/2007.07435)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n\nThis is the official implementation of NeurIPS 2020 paper [_AdvFlow: Inconspicuous Black-box Adversarial Attacks using Normalizing Flows_](https://arxiv.org/abs/2007.07435).\nA small part of this work, the Greedy AdvFlow, has been published in [ICML Workshop on Invertible Neural Networks, Normalizing Flows, and Explicit Likelihood Models](https://invertibleworkshop.github.io/accepted_papers/pdfs/36.pdf). 
A blog post explaining our approach can be found [here](https://hmdolatabadi.github.io/posts/2020/10/advflow/).\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/hmdolatabadi/hmdolatabadi.github.io/master/images/advflow/AdvFlow.gif\" width=\"95%\"\u003e\n\u003c/p\u003e\n\n## Requirements\n\nTo install requirements:\n\n```setup\npip install -r requirements.txt\n```\n\n## Training Normalizing Flows\n\nTo train a flow-based model, first set `mode = 'pre_training'`, and specify all relevant variables in `config.py`. Once specified, run this command:\n\n```train\npython train.py\n```\n\n## Attack Evaluation\n\nTo perform the AdvFlow black-box adversarial attack, first set `mode = 'attack'` in `config.py`.\nAlso, specify the dataset, target model architecture and path by setting the `dataset`, `target_arch`, \nand `target_weight_path` variables in `config.py`, respectively. Once specified, run:\n\n```eval\npython attack.py\n```\n\nfor CIFAR-10, SVHN, and CelebA. For ImageNet, however, you need to run:\n\n```eval\npython attack_imagenet.py\n```\n\nFinally, you can run the Greedy AdvFlow by:\n\n```eval\npython attack_greedy.py\n```\n\n## Pre-trained Models\n\nPre-trained flow-based models as well as some target classifiers can be found [here](https://drive.google.com/file/d/18J8eh-KLaPq9vUe_TwhuQMBW4WKBVX0L/view?usp=sharing).\n\n## Results\n\n### Fooling Adversarial Example Detectors\n\nThe primary assumption of adversarial example detectors is that the adversaries come from a different distribution than the data.\nHere, we attack the CIFAR-10 and SVHN classifiers defended by well-known adversarial example detectors, and show that the adversaries generated by our model can mislead them more than the similar method of NATTACK. 
This suggests that we have come up with adversaries that have similar distribution to the data.\n\n\u003cp align=\"center\"\u003e\n    \u003cem\u003eTable: Area under the receiver operating characteristic curve (AUROC) and accuracy of detecting adversarial examples generated by \u003ca href=\"https://github.com/Cold-Winter/Nattack\"\u003eNATTACK\u003c/a\u003e and AdvFlow (un. for un-trained and tr. for pre-trained NF) using \u003ca href=\"https://github.com/xingjunm/lid_adversarial_subspace_detection\"\u003eLID\u003c/a\u003e, \u003ca href=\"https://github.com/pokaxpoka/deep_Mahalanobis_detector\"\u003eMahalanobis\u003c/a\u003e, and \u003ca href=\"https://github.com/EvZissel/Residual-Flow\"\u003eRes-Flow\u003c/a\u003e adversarial attack detectors.\u003c/em\u003e\n\u003c/p\u003e\n\u003ctable style=\"width:750px\" align=\"center\"\u003e\n\u003ctbody\u003e\n\u003ctr class=\"odd\"\u003e\n\u003cth style=\"text-align:left\" rowspan=\"2\"\u003eData\u003c/th\u003e\n\u003cth style=\"text-align:center\"\u003eMetric\u003c/th\u003e\n\u003cth style=\"text-align:center\" colspan=\"3\"\u003eAUROC(%)\u003c/th\u003e\n\u003cth style=\"text-align:center\" colspan=\"3\"\u003eDetection Acc.(%)\u003c/th\u003e\n\u003c/tr\u003e\n\u003ctr class=\"even\"\u003e\n\u003cth style=\"text-align:center\"\u003eMethod\u003c/th\u003e\n\u003cth style=\"text-align:center\"\u003e𝒩\u003cspan class=\"smallcaps\"\u003eAttack\u003c/span\u003e\u003c/th\u003e\n\u003cth style=\"text-align:center\"\u003eAdvFlow (un.)\u003c/th\u003e\n\u003cth style=\"text-align:center\"\u003eAdvFlow (tr.)\u003c/th\u003e\n\u003cth style=\"text-align:center\"\u003e𝒩\u003cspan class=\"smallcaps\"\u003eAttack\u003c/span\u003e\u003c/th\u003e\n\u003cth style=\"text-align:center\"\u003eAdvFlow (un.)\u003c/th\u003e\n\u003cth style=\"text-align:center\"\u003eAdvFlow (tr.)\u003c/th\u003e\n\u003c/tr\u003e\n\u003ctr class=\"odd\"\u003e\n\u003cth style=\"text-align:left\" rowspan=\"3\"\u003eCIFAR-10\u003c/th\u003e\n\u003ctd 
style=\"text-align:center\"\u003eLID\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e78.69\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e84.39\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e\u003cstrong\u003e57.59\u003c/strong\u003e\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e72.12\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e77.11\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e\u003cstrong\u003e55.74\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr class=\"even\"\u003e\n\u003ctd style=\"text-align:center\"\u003eMahalanobis\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e97.95\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e99.50\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e\u003cstrong\u003e66.85\u003c/strong\u003e\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e95.59\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e97.46\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e\u003cstrong\u003e62.21\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr class=\"odd\"\u003e\n\u003ctd style=\"text-align:center\"\u003eRes-Flow\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e97.90\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e99.40\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e\u003cstrong\u003e67.03\u003c/strong\u003e\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e94.55\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e97.21\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e\u003cstrong\u003e62.60\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr class=\"even\"\u003e\n\u003cth style=\"text-align:left\" rowspan=\"3\"\u003eSVHN\u003c/th\u003e\n\u003ctd style=\"text-align:center\"\u003eLID\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e\u003cstrong\u003e57.70\u003c/strong\u003e\u003c/td\u003e\n\u003ctd 
style=\"text-align:center\"\u003e58.92\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e61.11\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e\u003cstrong\u003e55.60\u003c/strong\u003e\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e56.43\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e58.21\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr class=\"odd\"\u003e\n\u003ctd style=\"text-align:center\"\u003eMahalanobis\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e73.17\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e74.67\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e\u003cstrong\u003e64.72\u003c/strong\u003e\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e68.20\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e69.46\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e\u003cstrong\u003e60.88\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr class=\"even\"\u003e\n\u003ctd style=\"text-align:center\"\u003eRes-Flow\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e69.70\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e74.86\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e\u003cstrong\u003e64.68\u003c/strong\u003e\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e64.53\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e68.41\u003c/td\u003e\n\u003ctd style=\"text-align:center\"\u003e\u003cstrong\u003e61.13\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\n## Acknowledgement\n\nThis repository is mainly built upon [FrEIA, the Framework for Easily Invertible Architectures](https://github.com/VLL-HD/FrEIA), and [NATTACK](https://github.com/Cold-Winter/Nattack).\nWe thank the authors of these two repositories.\n\n## Citation\n\nIf you have found our code or paper beneficial to your research, please consider citing them as:\n```bash\n@inproceedings{dolatabadi2020advflow,\n  title={AdvFlow: 
Inconspicuous Black-box Adversarial Attacks using Normalizing Flows},\n  author={Hadi Mohaghegh Dolatabadi and Sarah Erfani and Christopher Leckie},\n  booktitle = {Proceedings of the Advances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems ({NeurIPS})},\n  year={2020}\n}\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhmdolatabadi%2FAdvFlow","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhmdolatabadi%2FAdvFlow","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhmdolatabadi%2FAdvFlow/lists"}